Why Good Digital Privacy Legislation Is So Hard to Get Right
Clearly, we are in dire need of better legal protections related to our data, but that’s easier said than done
In 2018, the world watched in horror as any lingering delusions about our privacy online were dispelled. We learned that Russian intelligence agencies had manipulated our news feeds. We learned that U.S. intelligence agencies expanded their already extensive collection of internet communications. We learned that small-time crooks made fraudulent applications for credit cards and loans. Perhaps most important, the world realized that new corporate surveillance juggernauts had come on the scene. The advertising industry — led by Alphabet and Facebook — had built enormous digital dragnets just as invasive as anything built by the NSA or FSB.
It’s no wonder interest in privacy regulation has spiked.
The Cambridge Analytica scandal in particular was a watershed moment for public awareness around data privacy. It’s an interesting case study that highlights several of the problems with our current regulatory framework, or lack thereof. The scandal demonstrated the convoluted and surreptitious paths through which our data travels. It exposed how lots of individually innocuous bits of data can add up to something more insidious. And it revealed some of the ways our data can make us a target for state-run disinformation campaigns.
Aleksandr Kogan, a researcher at the University of Cambridge, got about 270,000 people to fill out a survey via Facebook back in 2014. Unbeknownst to those users, the app collected much more than their answers to the survey questions, including their likes, identifying information, location information, and the same information about those users’ Facebook friends. In total, data was harvested from nearly 50 million profiles. Kogan then sold this data to the British political consulting firm Cambridge Analytica. In 2018, Christopher Wylie blew the whistle as part of a Guardian exposé linking Cambridge Analytica and this harvested data to Donald Trump’s 2016 presidential campaign.
Facebook’s terms of service, even back in 2014, clearly forbade the transfer of collected data to third parties. Simultaneously, the terms of service agreement for Kogan’s app clearly indicated his intent to sell the data. The contradiction highlights Facebook’s historic attitude surrounding data privacy, which might generously be described as apathetic. Facebook authorized an app whose terms of service were in direct violation of their own rules — and then allowed that app to stay live for a year and a half. The whole fiasco is now the subject of an FTC investigation into Facebook.
We already knew no one reads social media platforms’ endless terms of service agreements — and that apparently includes Facebook’s app approval team — but when you break down the numbers, only 0.5 percent of impacted users were even given the opportunity to consent to Kogan’s harvest and sale of their personal information. The other 99.5 percent of users received no notice, no opportunity to consent, and they now have no recourse. This lack of informed consent is a widespread problem online. Terms of service are formidable documents riddled with legalese, and recent research suggests that most are entirely unintelligible to the average internet user, assuming they actually try to read them. Yet we’re legally bound by these agreements.
Big companies are simultaneously in the best position to abuse consumer data and in the best position to resist privacy laws.
From weather apps to Equifax hacks, the number of data collection vectors is staggering. Between Google, your ISP, your phone, your credit card company, and a complex web of tracking software, a nearly complete record of your internet browsing behavior, financial history, and physical location all likely exist. This data might be spread across a handful of servers owned by a handful of organizations, but that only means it takes a bit of effort for someone — a company, a government — to put the pieces together.
And make no mistake, this effort is being made.
All this data is bought and sold on aboveground and underground markets. It’s processed by clever algorithms. Value is extracted. Ads are sold. Opinions are manipulated and elections alongside them. People of interest are identified. Their activities are logged. People of noninterest may also have their activities logged, just in case they become “interesting” in the future.
Clearly, we are in dire need of better legal protections related to our data, but that’s easier said than done.
Legislating privacy is hard
Amid the torrent of data-based scandals, however, there have also been some promising legal developments. In Europe, the General Data Protection Regulation (GDPR) was passed in April 2016 and came into effect in May 2018. In June 2018, the California Consumer Privacy Act (CCPA) was signed into law and will go into effect on January 1, 2020.
Consider the “right to be forgotten,” which was first established in the European Union by a Spanish court case and later became enshrined as a provision in the GDPR. The provision empowers users to request that their personal information be deleted and compels corporations and agencies to comply with these requests.
The Electronic Frontier Foundation, a digital rights advocacy group, has long opposed the EU-style right to be forgotten. It argues that an overly broad right to be forgotten can be used to squelch freedom of expression and limit public access to relevant information and reporting. Hardly a theoretical concern, the GDPR has already been used to force Google to delist reporting about a convicted murderer. Finnish courts have upheld the forcible delisting, paving the way for further obfuscation and censorship of information that some consider to be in the public’s interest.
As Adam Schwartz, a senior staff lawyer for the EFF, told me, “We view this as an intrusion on the right to publish newsworthy information and the right of the public to access that information.” The EFF also believes users have a right to leave a platform and take their data with them, but it argues that individual rights to erasure must not run afoul of the public’s right to free expression and right to access information.
On the other hand, people deserve to have some parts of their past forgiven. We have rules governing our legal history, parts of which can be expunged, sealed, and redacted. These legal protections are effectively waived without a right to be forgotten. If anyone can type your name into Google and potentially find reporting about that expunged, sealed, and redacted past, what good are those legal protections?
Even if we had perfect privacy laws on the books, the existence of those laws is not enough to ensure good privacy outcomes.
It’s not just the conviction records of murderers being delisted in the EU. In a recent case, a Dutch surgeon won the right to have Google searches for her name delinked from a website featuring doctors who have been blacklisted. The surgeon was once suspended for negligence and then allowed to return to work by a disciplinary board, but the first Google search result for her name continued to point toward the blacklist after her reinstatement.
The surgeon’s lawyer said, “The disciplinary committee is not meant to be about punishment. It is meant to be correcting the doctor’s mistake so they can do the job next time.” This is an argument I hope we’re all sympathetic to — that people can overcome their past failings. Still, many people undergoing surgery might feel it’s their right to know about their surgeon’s disciplinary record.
This challenge highlights one of the major differences between the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The CCPA explicitly carves out First Amendment exceptions for deletion requests and limits deletion requests to information collected from the individual, unlike the GDPR, which covers any information about the individual. Under the CCPA, Google could not be compelled to delink a person’s name from an unflattering article or a blacklist of doctors, because Google did not collect that article from that individual, but rather from a news publication.
Just as some have argued that the GDPR’s right to be forgotten is too broad, some will argue that the CCPA’s right to erasure is too weak to adequately protect individuals from data abuses. Still, their passage and implementation is a step toward greater transparency and protection regarding personal data and a signal that there is an appetite for privacy regulations.
While these laws are a clear win over the Wild West attitudes of the past decade, technology lawyer Elizabeth M. Renieris has raised a red flag over a “myopic focus on our data.” To date, digital privacy laws have been largely focused on data collected by corporations and mediated through contractual agreements. This hyperfocus on protecting data skews our attention away from the fact that people are the entities that need protection, and our data is just one avenue of many for abusing people’s privacy.
And what about protection from the government? In the United States, courts have been struggling to define what is a reasonable expectation of privacy for the contents of your phone. Up until recently, police could force U.S. citizens to unlock their phones with their fingerprint or via facial recognition, arguing that these biometric markers are not private — anyone can dust a surface you touched for your fingerprints or take photographs of your face. But a federal court in California recently ruled that this practice violates Fifth Amendment rights against self-incrimination.
It’s also hard to imagine the CCPA being applied to the NSA’s PRISM program, famously exposed by Edward Snowden and renewed for six more years in 2018. After so much hullabaloo over the emergence of the surveillance economy, the crafty veterans of surveillance have flown under the radar in recent years — which is exactly how they like it. With more nations investing seriously in cyberwarfare, strong countermeasures really are a matter of national security. Still, history is full of good reasons not to trust our intelligence agencies with overly broad surveillance capabilities.
The law is an ever-evolving compromise. There will surely be continued efforts to improve the existing laws, as well as court cases that force us to grapple with the more challenging aspects of privacy laws. But even if we had perfect privacy laws on the books, the existence of those laws is not enough to ensure good privacy outcomes.
Enforcing privacy legislation is hard
The challenges with enforcement are vast and varied. Google was fined €50 million ($56 million) early this year for GDPR violations in France, but profits for Google’s parent company, Alphabet, in the last quarter of 2018 totaled $8.9 billion; €50 million is chump change to Google. The company is surely more concerned with the $5 billion European antitrust judgment from July 2018.
Unlike smaller companies — which would be forced to comply or likely be bankrupted if they’re caught in violation of these rules — big firms have enough resources to engage in malicious noncompliance in addition to apathetic noncompliance. Just as Uber developed Greyball to deceive authorities, there will be (or already are) tools and services specifically developed to resist privacy regulations. Big firms are more likely to have the resources to invest in this kind of deception. This is especially frustrating for consumers, because Facebook, Google, and other big corporations are some of the worst privacy offenders out there.
Making matters worse, the modern artificial intelligence and machine learning tactics that are used to monetize consumer data require tons of data to work effectively. Big companies are simultaneously in the best position to abuse consumer data and in the best position to resist privacy laws.
The CCPA and GPDR also differ when it comes to whom their rules apply. The scope of the entities covered under the CCPA are limited to three kinds of companies: those with more than $25 million in gross revenue, those that come in contact with the personal information of 50,000 or more consumers per year, or those that earn more than 50 percent of their revenue from selling personal information.
The GDPR has no similar thresholds — if a business collects data and does business in an EU country, it is subject to the GDPR. Once again, the GDPR might be anticompetitive or the CCPA might be too weak, depending on your perspective. While the carve-outs in the CCPA may protect some small businesses, effective privacy laws still need sharp teeth to actually impact the business practices of massive incumbents like Google. To date, the €50 million fine against Google is the largest such penalty resulting from the GDPR. It’s not clear that these fines will add up to a real financial incentive for firms like Google.
There is also an insidious implication in these differences. While the GDPR defines controllers and processors as any “natural or legal person, public authority, agency or other body,” the CCPA’s limits on covered entities leaves out private individuals. A single online stalker may not have the kind of power Google does, but our laws should still protect citizens against interpersonal privacy violations. This is an example the myopia that Renieris warned about.
Plus, what happens when the government can’t—or won’t—act?
Schwartz reminded me during our phone call that FTC workers in the middle of investigating Facebook over the Cambridge Analytica scandal were furloughed due to the government shut down, adding, “There is the problem of regulatory capture. If you look at the Consumer Finance Protection [Bureau] or the FCC, there are many pro-company people appointed to these agencies.” A particular Verizon lawyer turned FCC chairman came to mind.
Covert data collection practices are definitionally hard to detect. Auditing every company to ensure they’re in compliance with relevant law would be an astronomical undertaking that isn’t sure to produce results. And even if we allocated significant public resources to monitoring and auditing companies for legal violations, many large corporations can afford to just keep violating the law and paying the associated fines, following the Wall Street model of compliance with financial regulations.
In order to bolster legal protections in the face of government weakness, Schwartz emphasized the right to private action: “If a company does not get your consent to collect data, then you should be able to file your own lawsuit against that company.”
How do you quantify the damage done when you don’t get that job or that apartment because the internet archived mistakes that you’ve outgrown?
The right of private action is a clear improvement over a system where only government agencies can bring legal challenges. Nevertheless, the pay-to-play nature of many legal systems effectively limits the right to private action to those who can afford a lawyer or those who have strong enough claims to attract a lawyer who will take the case on contingency — taking a share of the winnings in lieu of upfront payment. Which raises another challenging question for judges: How should damages be awarded in the event of privacy violations?
What is the cost of having your sexual preference revealed by Facebook without your consent? How do you quantify the damage done when you don’t get that job or that apartment because the internet archived mistakes that you’ve outgrown? If a company collects your data surreptitiously but only uses it to serve you targeted advertisements, are you entitled to damages? And if not, how does the company ever get punished for its underground collection policy?
Challenges, compromises, and differences notwithstanding, I’d much rather live in a jurisdiction covered by the GDPR or the CCPA than a jurisdiction that isn’t covered by either. The status quo is a nightmare. Protocols and infrastructure that were established in the 1990s — without an eye to privacy or an inkling of what the internet would become — make privacy very easy to violate. Moreover, the cost of violating a user’s privacy has been essentially nothing over the past few decades, and an entire economy has been built around that lack of risk.
Clearly, that has to change. But the difficulty with digital privacy law is multifaceted and hugely complex. It involves global connectivity and therefore spans just about every jurisdiction you can name. It is a deeply technical subject — sometimes only a few cutting-edge experts are aware of certain exploitable flaws. The technical aspects make most lawyers and policymakers ineffective at drafting good legislation. The ethical quandaries, the slow nature of policy, and the law’s historical focus on not disrupting everything renders most technologists ineffective.
These challenges highlight the need for greater collaboration and understanding between the technology community and the rest of the world, and especially between technologists and those in the political sphere. A compelling case can be made that the expanding gulf between technologists and Washington, DC, is a national security crisis. At the same time, this kind of collaboration is rightly chided as “regulatory capture” when champions of industry infiltrate the halls of government to further their former corporations’ agenda.
We desperately need better privacy regulation, but the people who understand the problem best are the ones benefiting most from the lack of regulation. Clearly, we need the expertise of specialists who deeply understand the internet and its vulnerabilities to properly address privacy concerns. But in an era rife with corporate overreach, regulatory capture, and extraordinarily powerful global conglomerates, it feels wrong to put those same people in charge of fixing the mess they’ve made.
The GDPR and CCPA are both promising first steps toward grappling with what the internet has enabled and become, but the road ahead is long and will be fraught with many unforeseen challenges.